IOS HTTP Server Command Injection Vulnerability

Available Languages

Updated:December 10, 2011
Document ID:1454800189594177

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

IOS HTTP Server Command Injection Vulnerability

High
Advisory ID:
cisco-sa-20051201-http
First Published:
2005 December 1 21:00 GMT
Version 2.0:
Final
Workarounds:
See below
Cisco Bug IDs:
CSCsc64976
CVE-2005-3921
CVSS Score:
Base 7.6, Temporal 6.9Click Icon to Copy Verbose Score
AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:C
CVE-2005-3921

Summary

  • A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

    Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

    This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20051201-http.

Affected Products

  • This section provides details on affected products.

    Vulnerable Products

    This security advisory applies to all Cisco products that run Cisco IOS Software versions 11.0 through 12.4 with the HTTP server enabled. A system which contains the IOS HTTP server or HTTP secure server, but does not have it enabled, is not affected.

    To determine if the HTTP server is running on your device, issue the show ip http server status and show ip http server secure status commands at the prompt and look for output similar to: 

    Router>show ip http server status
HTTP server status: Enabled

    If the device is not running the HTTP server, you should see output similar to: 

    Router>show ip http server status
HTTP server status: Disabled

    Any version of Cisco IOS prior to the versions which will be listed in the Fixed Software section below may be vulnerable.

    Products Confirmed Not Vulnerable

    Cisco IOS XR is not affected.

    To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS Software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

    The following example identifies a Cisco product running IOS release 12.3(6) with an installed image name of C3640-I-M: 

    Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-I-M), Version 12.3(6), RELEASE SOFTWARE (fc3)

    The next example shows a product running IOS release 12.3(11)T3 with an image name of C3845-ADVIPSERVICESK9-M: 

    Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.

    Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

    No other Cisco products are currently known to be affected by these vulnerabilities.

Details

  • The Cisco IOS Web browser interface (which enables the device to perform as an HTTP server) allows configuration and monitoring of a router or access server using any web browser. This feature was introduced in IOS 11.0.

    A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks.

    In order to be vulnerable to the cross-site scripting attack, a user must browse and view the content during the same period of time the injected code exists in memory. On the other hand, if a user does not browse contaminated dynamic content on the device, then exploitation is not possible.

    A proof of concept exploit exists for this vulnerability, in which the exploit attempts to reset the enable password on the device. For the attack to work against the device itself, the user browsing tainted dynamic content on the router will only be able to execute commands at or below the privilege level for which they are authenticated and authorized for on the device.

    This vulnerability is documented in Cisco Bug ID CSCsc64976 ( registered customers only) .

Workarounds

  • If the HTTP server is not used for any legitimate purposes on the device, it is a best practice to disable it by issuing the following commands in configure mode: 

    no ip http server
no ip http secure-server

    Disable the HTTP WEB_EXEC Service

    A feature was introduced in 12.3(14)T and later in which selective HTTP and HTTPS services could be enabled or disabled. The WEB_EXEC service provides a facility to configure the box and retrieve the current state of the box from remote clients.

    It is possible to disable the WEB_EXEC service while still leaving other HTTP services active. If an installation does not require the use of the WEB_EXEC service, then it may be disabled using the following procedure:

    1. Verify the list of all session modules.
      Router#show ip http server session-module 
HTTP server application session modules: 
 Session module Name  Handle Status   Secure-status  Description 
HTTP_IFS              1      Active   Active         HTTP based IOS File Server 
HOME_PAGE             2      Active   Active         IOS Homepage Server 
QDM                   3      Active   Active         QOS Device Manager Server 
QDM_SA                4      Active   Active         QOS Device Manager Signed Applet Server 
WEB_EXEC              5      Active   Active         HTTP based IOS EXEC Server 
IXI                   6      Active   Active         IOS XML Infra Application Server 
IDCONF                7      Active   Active         IDCONF HTTP(S) Server 
XSM                   8      Active   Active         XML Session Manager 
VDM                   9      Active   Active         VPN Device Manager Server 
XML_Api               10     Active   Active         XML Api 
ITS                   11     Active   Active         IOS Telephony Service 
ITS_LOCDIR            12     Active   Active         ITS Local Directory Search 
CME_SERVICE_URL       13     Active   Active         CME Service URL 
CME_AUTH_SRV_LOGIN    14     Active   Active         CME Authentication Server 
IPS_SDEE              15     Active   Active         IOS IPS SDEE Server 
tti-petitioner        16     Active   Active         TTI Petitioner
    2. Create a list of session modules that are required, in this example it would be everything other than WEB_EXEC.
      Router#configuration terminal
Router(config)#ip http session-module-list exclude_webexec 
             HTTP_IFS,HOME_PAGE,QDM,QDM_SA,IXI,IDCONF,XSM,VDM,XML_Api,
             ITS,ITS_LOCDIR,CME_SERVICE_URL,CME_AUTH_SRV_LOGIN,IPS_SDEE,tti-petitioner
    3. Selectively enable HTTP/HTTPS applications that will service incoming HTTP requests from remote clients. 
      Router(config)#ip http active-session-modules exclude_webexec 
Router(config)#ip http secure-active-session-modules exclude_webexec 
Router(config)#exit
    4. Verify the list of all session modules, and ensure WEB_EXEC is not active.
      Router#show ip http server session-module 
HTTP server application session modules: 
 Session module Name  Handle Status   Secure-status  Description 
HTTP_IFS              1      Active   Active         HTTP based IOS File Server 
HOME_PAGE             2      Active   Active         IOS Homepage Server 
QDM                   3      Active   Active         QOS Device Manager Server 
QDM_SA                4      Active   Active         QOS Device Manager Signed Applet Server 
WEB_EXEC              5      Inactive Inactive       HTTP based IOS EXEC Server 
IXI                   6      Active   Active         IOS XML Infra Application Server 
IDCONF                7      Active   Active         IDCONF HTTP(S) Server 
XSM                   8      Active   Active         XML Session Manager 
VDM                   9      Active   Active         VPN Device Manager Server 
XML_Api               10     Active   Active         XML Api 
ITS                   11     Active   Active         IOS Telephony Service 
ITS_LOCDIR            12     Active   Active         ITS Local Directory Search 
CME_SERVICE_URL       13     Active   Active         CME Service URL 
CME_AUTH_SRV_LOGIN    14     Active   Active         CME Authentication Server 
IPS_SDEE              15     Active   Active         IOS IPS SDEE Server 
tti-petitioner        16     Active   Active         TTI Petitioner

    For further information on selective enabling of applications using an HTTP or secure HTTP server, consult the Cisco IOS network management configuration guide, release 12.4T at: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_http_app_enable.html

    Avoid the use of Web-based SHOW commands

    Successful exploitation of this vulnerability requires an unsuspecting user to request dynamic content from the device via the "show" commands which are available. Avoiding the use of those commands via the web interface until an upgrade to fixed software is possible may be perfectly legitimate for some installations.

Fixed Software

Exploitation and Public Announcements

  • This vulnerability was disclosed in a public posting to the Bugtraq mailing list.

    We would like to thank iDefense for finding and initially reporting this vulnerability to us.

    We would also like to thank Mr. Adrian Pastor from ProCheckup Ltd for sharing information with us about another possible vector into this vulnerability. His research paper is available at http://www.procheckup.com/vulnerability_manager/vulnerabilities/paper-04 leavingcisco.com.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

  • Revision 2.0

    29-March-2010

    Updated the Software Versions and Fixes section.

    Revision 1.3

    22-October-2009

    Updated the Exploitation and Public Announcements to include additional researcher information.

    Revision 1.2

    19-June-2009

    Revised the Disable the HTTP WEB_EXEC Service section.

    Revision 1.1

    14-January-2006

    Added additional advisory credits.

    Revision 1.0

    1-December-2005

    Initial public release.

    Show Less

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory